CVE-2023-52973
Published: 27 March 2025
Summary
CVE-2023-52973 is a high-severity Use After Free (CWE-416) vulnerability in Linux Linux Kernel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 1.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2023-52973 is a use-after-free (UAF) vulnerability in the Linux kernel's vc_screen subsystem, located in the vcs_read() function of drivers/tty/vt/vc_screen.c. The flaw occurs because the struct vc_data pointer is loaded after a console_unlock() call, allowing vc_deallocate() to free the structure before it is accessed in vcs_size(), resulting in a UAF. This issue was detected by the Syzkaller fuzzer, with KASAN reporting a read of size 4 at a freed address during vcs_size() execution.
A local attacker with low privileges (AV:L/AC:L/PR:L/UI:N) can exploit this vulnerability, as indicated by its CVSS v3.1 base score of 7.8 (C:H/I:H/A:H/S:U). Exploitation involves triggering vcs_read() on a virtual console device, such as through reads after console operations that lead to deallocation, potentially enabling arbitrary code execution, data corruption, or denial of service via the UAF.
Kernel stable patches address the issue by moving the load of the struct vc_data pointer to the top of the while loop in vcs_read() to ensure it occurs before console_unlock(). Affected users should apply commits such as 226fae124b2dac217ea5436060d623ff3385bc34, 55515d7d8743b71b80bfe68e89eb9d92630626ab, 6332f52f44b9776568bf3c0b714ddfb0bb175e78, 8506f16aae9daf354e3732bcfd447e2a97f023df, and af79ea9a2443016f64d8fd8d72020cc874f0e066 from the kernel stable repository.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-59747
Vulnerability details
In the Linux kernel, the following vulnerability has been resolved: vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF After a call to console_unlock() in vcs_read() the vc_data struct can be freed by vc_deallocate(). Because of that,…
more
the struct vc_data pointer load must be done at the top of while loop in vcs_read() to avoid a UAF when vcs_size() is called. Syzkaller reported a UAF in vcs_size(). BUG: KASAN: use-after-free in vcs_size (drivers/tty/vt/vc_screen.c:215) Read of size 4 at addr ffff8881137479a8 by task 4a005ed81e27e65/1537 CPU: 0 PID: 1537 Comm: 4a005ed81e27e65 Not tainted 6.2.0-rc5 #1 Hardware name: Red Hat KVM, BIOS 1.15.0-2.module Call Trace: <TASK> __asan_report_load4_noabort (mm/kasan/report_generic.c:350) vcs_size (drivers/tty/vt/vc_screen.c:215) vcs_read (drivers/tty/vt/vc_screen.c:415) vfs_read (fs/read_write.c:468 fs/read_write.c:450) ... </TASK> Allocated by task 1191: ... kmalloc_trace (mm/slab_common.c:1069) vc_allocate (./include/linux/slab.h:580 ./include/linux/slab.h:720 drivers/tty/vt/vt.c:1128 drivers/tty/vt/vt.c:1108) con_install (drivers/tty/vt/vt.c:3383) tty_init_dev (drivers/tty/tty_io.c:1301 drivers/tty/tty_io.c:1413 drivers/tty/tty_io.c:1390) tty_open (drivers/tty/tty_io.c:2080 drivers/tty/tty_io.c:2126) chrdev_open (fs/char_dev.c:415) do_dentry_open (fs/open.c:883) vfs_open (fs/open.c:1014) ... Freed by task 1548: ... kfree (mm/slab_common.c:1021) vc_port_destruct (drivers/tty/vt/vt.c:1094) tty_port_destructor (drivers/tty/tty_port.c:296) tty_port_put (drivers/tty/tty_port.c:312) vt_disallocate_all (drivers/tty/vt/vt_ioctl.c:662 (discriminator 2)) vt_ioctl (drivers/tty/vt/vt_ioctl.c:903) tty_ioctl (drivers/tty/tty_io.c:2776) ... The buggy address belongs to the object at ffff888113747800 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 424 bytes inside of 1024-byte region [ffff888113747800, ffff888113747c00) The buggy address belongs to the physical page: page:00000000b3fe6c7c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x113740 head:00000000b3fe6c7c order:3 compound_mapcount:0 subpages_mapcount:0 compound_pincount:0 anon flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff) raw: 0017ffffc0010200 ffff888100042dc0 0000000000000000 dead000000000001 raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888113747880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888113747900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > ffff888113747980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888113747a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888113747a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== Disabling lock debugging due to kernel taint
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The kernel use-after-free in vcs_read() directly enables local privilege escalation via arbitrary code execution or system compromise by a low-privileged attacker.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Timely flaw remediation directly addresses the UAF in vcs_read() by applying kernel patches that relocate the vc_data pointer load before console_unlock().
Memory protection mechanisms such as KASLR, SMAP, and slab freelist randomization mitigate exploitation of the UAF by protecting against unauthorized memory access and pointer manipulation in the kernel.
Vulnerability monitoring and scanning, including fuzzers like Syzkaller and tools like KASAN, detect UAF issues in kernel subsystems like vc_screen prior to exploitation.